snyk/agent-scan

Agent Scan is an Apache-2.0 agent component inventory and threat scanner from Snyk that discovers installed MCP servers, harnesses, and agent skills on your machine, then scans them for prompt injections, sensitive-data handling, and malware payloads hidden in natural-language instructions. 2,587 stars, distributed as snyk-agent-scan on PyPI, supports Claude, Cursor, Windsurf, Gemini CLI, Amp, and

Score: 8.4
Popularity: 82.0
Risk: conditional
Tier: Gold

Score breakdown

Usefulness: 8.0
Novelty: 9.0
Momentum: 8.0
Maturity: 8.3
Open-source/build: 8.4
Evidence: 7.2
Workflow potential: 9.9
Setup ease: 8.8

Popularity is tracked separately. Support, ads, sponsorships, and tips never affect these signals.

Why it matters

Useful for security teams that want one CLI to inventory and audit every MCP server, harness, and agent skill installed on a developer machine, and to flag prompt-injection or data-exfiltration patterns before they leak into production. Install via pip, run `snyk-agent-scan` against a config, and pipe the findings into your existing vulnerability dashboard.

Who should use it

- security teams that need one CLI to inventory and audit every MCP server, harness, and skill on a developer machine
- platform teams building threat-detection pipelines for the agent-skill ecosystem
- Snyk users who want the same vuln-scanning workflow extended to AI agent components
- DevSecOps leads who want to detect prompt-injection patterns and data-exfiltration attempts before MCP servers reach production
- compliance teams building evidence for AI-risk frameworks that require documented adversarial testing

Who should skip it

Skip if the source link, docs, or setup requirements do not match your workflow.

Risk explanation

Scanning MCP configs will execute the commands they declare, so run scans inside a sandbox or disposable environment when evaluating third-party configs. Experimental CLI output (severity labels, issue codes, response structure) may change between releases, so don't bake field names into production dashboards.

Closest alternatives / related signals

agent-security, mcp, skills, prompt-injection, vulnerability-scanner, inventory, snyk, python